Setting up WireGuard

install

both client and server

ubuntu

apt install wireguard wireguard-tools nftables

slackware

only wireguard-tools is required, as Slackware -current already ships the wireguard kernel module

#sbopkg -i wireguard-linux-compat
sbopkg -i wireguard-tools

key generation

required on any peer

mkdir ~/wg/
chmod 700 ~/wg/
cd ~/wg/

echo $HOSTNAME
wg genkey > $HOSTNAME.key
wg pubkey < $HOSTNAME.key > $HOSTNAME.pub

chmod 400 *

server setup

cd /etc/wireguard/

cat > wg0.conf <<EOF
[Interface]
PrivateKey = `cat $HOME/wg/$HOSTNAME.key`
Address = 10.8.8.1/24
ListenPort = 51820
SaveConfig = false

[Peer]
PublicKey = CLIENT-PUBKEY
AllowedIPs = 10.8.8.2/32
EOF

wg0.conf now holds the private key, so keep it readable by root only (wg-quick warns when the file is world accessible)

cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p

chmod -x /etc/nftables.conf
vi /etc/nftables.conf

# declare the table first so the flush cannot fail on a fresh boot
table ip nat
flush table ip nat
table ip nat {
        # SNAT: tunnel traffic leaving INTERNAL-NIC gets INTERNAL-IP as source
        chain postrouting {
                type nat hook postrouting priority srcnat;
                ip saddr 10.8.8.0/24 oif INTERNAL-NIC snat to INTERNAL-IP;
        }
}

client setup

cd /etc/wireguard/

cat > wg0.conf <<EOF
[Interface]
PrivateKey = `cat $HOME/wg/$HOSTNAME.key`
Address = 10.8.8.2/24

[Peer]
PublicKey = SERVER-PUB-KEY-HERE
AllowedIPs = 10.8.8.0/24, ROUTED-INTERNAL-CIDR
Endpoint = SERVER-ADDRESS-HERE:51820

PersistentKeepalive = 15
EOF

ready to go

shared

lsmod | grep wireguard
systemctl restart wg-quick@wg0.service
systemctl status wg-quick@wg0.service

server node

systemctl enable wg-quick@wg0.service

systemctl restart nftables
systemctl status nftables
systemctl enable nftables

shared

systemctl restart wg-quick.target

wg show
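A link-status check built on `wg show wg0 dump` (added example, not part of the original notes): it flags peers whose latest handshake is older than a threshold, or that never completed one. The dump layout follows the wg man page; the 180 s threshold and the placeholder keys in the constructed sample dump are my assumptions.

```shell
#!/bin/sh
# stale_peers NOW MAX_AGE: read `wg show <iface> dump` on stdin and print
# "PUBKEY AGE" for every peer whose latest handshake is older than MAX_AGE
# seconds, or "PUBKEY never" for peers that have not completed a handshake.
# Dump layout (tab separated): line 1 = interface (private-key public-key
# listen-port fwmark); each further line = one peer (public-key preshared-key
# endpoint allowed-ips latest-handshake transfer-rx transfer-tx keepalive),
# latest-handshake being a unix timestamp, 0 when none. wg itself needs root.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        BEGIN { FS = "\t" }
        NR == 1 { next }                 # interface line, no handshake field
        NF < 5  { next }                 # not a peer line
        {
            hs = $5 + 0
            if (hs == 0) { print $1, "never"; next }
            age = now - hs
            if (age > max) print $1, age
        }'
}

# Constructed sample in the shape of `wg show wg0 dump`: placeholder keys,
# documentation-range endpoints, handshake times relative to NOW=1700000100.
SAMPLE_DUMP=$(
    printf 'PRIVKEY-REDACTED\tSERVER-PUB\t51820\toff\n'
    printf 'CLIENT-A-PUB\t(none)\t203.0.113.10:40123\t10.8.8.2/32\t1700000000\t12345\t6789\t15\n'
    printf 'CLIENT-B-PUB\t(none)\t203.0.113.11:40124\t10.8.8.3/32\t1699999000\t0\t0\t15\n'
    printf 'CLIENT-C-PUB\t(none)\t(none)\t10.8.8.4/32\t0\t0\t0\toff\n'
)

# check_sample: run the sample through a 180 s threshold (assumed value; with
# PersistentKeepalive = 15 a healthy tunnel re-handshakes well within that).
check_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | stale_peers 1700000100 180
}

# live use on the server: wg show wg0 dump | stale_peers "$(date +%s)" 180
check_sample
```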

acceptance

from some client

ping the server within the tunnel

ping 10.8.8.1

go through NAT on the other side

ping INTERNAL-IP

troubleshooting

on some client

nmap -sU -p 51820 SERVER-ADDRESS
netstat -rn --inet
tcpdump -vvv -ni eth0 udp port 51820

resources

https://www.wireguard.com/install/

https://www.wireguard.com/quickstart/

https://www.wireguard.com/quickstart/#key-generation

https://slackbuilds.org/repository/14.2/network/wireguard-linux-compat/

https://slackbuilds.org/repository/14.2/network/wireguard-tools/

https://wiki.archlinux.org/title/WireGuard -> file-based configs

tutorials

https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04

https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

ops

https://vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

troubles

https://www.reddit.com/r/WireGuard/comments/a0s6p2/troubleshooting_wireguard_any_logs_available/

https://www.procustodibus.com/blog/2021/03/wireguard-logs/

https://serverfault.com/questions/1020279/how-to-see-debug-logs-for-wireguard-e-g-to-see-authentication-attempts

https://stackoverflow.com/questions/61109400/wireguard-how-to-log-network-activity

https://lists.zx2c4.com/pipermail/wireguard/2019-March/004027.html

moar / dns

https://serverfault.com/questions/1058255/configure-dns-routing-in-wireguard

moar status

https://www.vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

https://www.procustodibus.com/blog/2021/01/how-to-monitor-wireguard-activity/

moar nftables (server side)

https://procustodibus.com/blog/2021/11/wireguard-nftables/

moar allowed ips

https://try.popho.be/wg.html

moar NAT and firewall traversal / persistence

https://www.stavros.io/posts/how-to-configure-wireguard/

https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
Copyright © 2024 Pierre-Philipp Braun